How Vulnerable Are Healthcare Organizations Under HIPAA?

by Rick Blizzard

The Health Insurance Portability and Accountability Act (HIPAA) privacy rule, passed in 1996, was designed to protect the privacy of individuals' medical information. (See "Access Denied: Americans Wary of Information Release" in Related Items.) The rule's compliance deadline is April 2003, although the U.S. Department of Health and Human Services (HHS) proposed major changes to it in March 2002 -- changes currently steeped in political controversy. Healthcare organizations attempting to comply with the HIPAA privacy rule are chasing a moving target. Regardless of the final privacy rules, healthcare organizations will be required to tell patients they have a right to lodge privacy complaints with the HHS Office for Civil Rights.

In what areas is privacy of most concern, according to consumers of healthcare services? During 2001, Gallup asked 136,179 inpatients and 98,278 emergency department patients about their satisfaction with hospital staffs' respect for their privacy. Inpatients were more likely than emergency department patients to express dissatisfaction with healthcare organizations' respect for their privacy -- 5.3% of the former group did so, compared to 2.9% of the latter.

While patient satisfaction levels with hospital staff respect for privacy do not necessarily reflect an organization's preparation for HIPAA compliance, levels of dissatisfaction can be used to infer the likelihood of patient complaints. Based on 2001 results, hospitals are currently more vulnerable to HIPAA complaints from inpatients than emergency department patients. With more than 5% of inpatients either somewhat or very dissatisfied with the facility's respect for their privacy, hospitals should feel they have some work to do before the privacy compliance deadline.

Some geographic regions of the country have higher-than-average levels of patient dissatisfaction with staff respect for privacy. For example, 6.2% of inpatients surveyed in CMS Region IX (a western geographic region defined by the U.S. Centers for Medicare and Medicaid Services, which includes California, Arizona, Nevada, Hawaii and two U.S. territories) report being dissatisfied with staff respect for privacy. In part, geographic variation in dissatisfaction with privacy may be a function of the level of consumer activism and awareness of privacy issues and regulations. Gallup's experience in interviewing patients indicates that as awareness of privacy regulations increases, sensitivity to the issue also increases. Thus, as the approach of the HIPAA privacy compliance deadline generates publicity, hospitals' levels of vulnerability to privacy complaints are likely to increase as well.

Key Points

Healthcare organizations are focusing large amounts of time and money on information systems and process-flow issues to comply with HIPAA. Yet a key element of HIPAA compliance vulnerability is being overlooked. Dissatisfied inpatients are a likely source of HIPAA-based complaints. To address this dissatisfaction, hospitals must focus not just on systems and process, but also on training inpatient staff about the critical nature of respect for patient privacy.
